Here's what we know will happen in the short term: There are 5 RIRs (Regional Internet Registries) for different parts of the world -- AfriNIC, APNIC, ARIN, LACNIC, and the RIPE NCC. These organizations get address blocks from the IANA and dole them out to ISPs and other entities in their regions based on their own policies.

Each of the RIRs still has some IPv4 addresses left, but various models show them starting to run out within about a year. After that, at some point, ISPs will begin to run out. The models are less clear on this. Stephan Lagerholm's ipv4depletion.com calculates that the first RIR to run out will be APNIC (Asia-Pacific Network Information Centre) in 228 days (as I write this), but it has the last RIR depletion date in December, 2016. That may sound odd, but there still are over 500 million free addresses by his calculation and it's not hard to see that these things get consumed faster in different parts of the world.

Consumer Market isn't Ready for IPv6

At the same time, there is a new addressing scheme, IPv6, which is unfortunately incompatible with the existing one, but which has an address space so large that we may just take it with us to the first few planets we colonize. Even though IPv6 has been up and running for many years and support for it has been in just about every operating system for ages (Windows XP has had it as a core network protocol since SP1 in 2002), actual use of IPv6 is rare. Hardware support for it is good in business-oriented equipment, but it's unusual for consumer equipment or consumer ISPs to support it. So if things were to be in this state when the well runs dry, we would start seeing sites and users having trouble getting Internet connectivity.

By the way, June 16, 2011 is World IPv6 Day. The Internet Society is trying to arrange a 24 hour test run of IPv6 with the various parties who would need to be involved, generally websites and network operators. I guess we have to start somewhere, and some companies -- Google comes to mind -- have been ahead of the curve on this. But Google's IPv6 content does me no good if my networking equipment and ISP don't support IPv6. And they don't. If you're a normal consumer, go try to do better than I did: Comcast and Verizon have limited tests of IPv6 going on, but if you're not in a test area you're SOL, and go try to buy a consumer router that supports IPv6.

Not that bad, but not good. The technology is mature enough, but our implementations, especially on the consumer side, are utterly unprepared:

Our networking hardware, as I said above, is not compatible. Some of it may be firmware-upgradable, but you gotta know that networking vendors want to sell you a new unit. I did a search on Amazon.com for IPv6 in networking equipment and didn't see much (for some reason I got a lot of hits on iPod skins), but the Apple AirPort supports IPv6.

Our applications are generally unprepared. Not all applications will break on IPv6, but it hasn't generally been considered bad form to assume IPv4 in an app, and many do.

Ourselves are unprepared. Do you know how to configure an IPv6 network? I wish I could say I did, but, as I said, I can't even get support for it from my provider, so there's not a lot I can do. I could use Teredo, which tunnels IPv6 traffic over IPv4 networks, but there are lots of problems with it and it's more of a hack than a solution. Why bother?

If Only IPv4 Addresses Could Be Sold

I rather suspect -- maybe hope is a better word -- that ISPs have been hoarding IPv4 addresses for this eventuality. Most of the consumer ISPs still give you a real, publicly-addressable IP address for your cable modem or whatever you use. But they don't have to. They could switch to what is known as 'supernatting': give you an address in a big private 10.x.x.x network. This will probably wreak havoc on many applications and consumers won't stand for it for long.

One solution that gets a lot of abstract support is to create a market for IPv4 addresses and let prices sort out the shortage. At some point the cost of IPv4 will be such that the free, or nearly free, IPv6 will be too attractive. This is completely logical and, in fact, a great idea. Too bad it can't be done.

I can't buy an IP address from you; I can lease it if you're an ISP. But there's no mechanism in the routing infrastructure for entities to resell IP address blocks allocated to them. Maybe there should be, but as far as I know, there isn't. It would be possible for such entities to donate blocks back to the IANA or RIR, and in fact some of this has happened. Back in the old days they handed out /8 blocks (16777216 addresses) pretty casually, and if you look at the map of them you'll see quite a few allocated to entities which probably don't need all that space. Lots to the Defense Department and other governmental entities, big companies: GE, Apple, Ford, HP, DEC (in other words HP), AT&T, Prudential Securities, duPont, Merck, Halliburton -- you get the idea. There's a lot of wastefully-allocated space out there. But even if you could recover all of it, it would only kick the can down the road. Until last year Interop owned a /8 address block. It's incomprehensible that they were granted one, but they had the decency to give it back in the end.

It's possible that some of those companies could become ISPs in order to monetize this valuable asset. Perhaps they would only need to partner with an ISP to do so. Quite a few of these entities could use the money (the US Postal Service, for example). And eventually ISPs will have to adjust costs to push their users onto IPv6; probably they'll allocate IPv6 address to everyone and then give incentives to customers to surrender their IPv4 addresses.

What makes me so sure things will be bad? If there's one thing that users hate, it's having to change their software. A whole lot of that is going to happen when we move to IPv6, and there's no way around it. We do have to move. People will be outraged that this came with no warning.

Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contibuting Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.